Information security professionals often talk about developing technical skills, but the ability to navigate an organization and the people within it is often overlooked. You should be intimately familiar with your organization's solutions and tools. However, you must also consider your security controls and their objectives. There are pertinent questions that should be asked to gather the information that supports decisions: What is risk? How do we measure it? How do we better allocate resources to reduce it? Are security controls cost-effective? Are their objectives well-defined?
There are plenty of auditing and compliance check boxes to be ticked and even more vendors and products to choose from. As I'm sure you know, the information security budget is much smaller than the list of things to buy. This is why it is important to build relationships with other organizational stakeholders to define and reduce risk.
We must define risk before we can reduce it. Ask questions for clarification. Do your research. What are the crown jewels? Where are they located? How are they currently being protected? How much will the loss of the crown jewels cost the organization? Your manager is most certainly not going to have time to hold your hand and walk you through each application, its purpose and the classification of the data it transmits, processes or stores. Talking with members of different teams will help you see the bigger picture; then you can effectively develop or improve your information security strategy.
The Governance, Risk and Compliance (GRC) team often recommends security controls that have been prescribed by industry standards. Red teams continue to evade basic defenses and ineffective controls. Action plans are created and then implemented by blue teams. It's a constant game of catch-up. There is clearly a disconnect between GRC and the defensive and offensive teams in many organizations. In some organizations these teams work against each other, undermining collaboration.
Information security risk is often measured on a nominal scale (e.g. High, Medium, Low). Security risk indicators appear to be quantitatively assessed, but in reality they are smoke and mirrors, reducible to calculations understood only by data analysts. Are high-risk vulnerabilities being reduced? Or are you under the presumption that they are being reduced? If you have a conversation about aged vulnerabilities and it doesn't include patching those with critical CVSS scores, the answer is most likely the latter.
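As an added illustration of that point (example code, not from the original post), here is a small Python check that contrasts a dashboard's one-word rating with the number of criticals that have aged past their remediation SLA between two scan snapshots. The findings, dates and SLA thresholds are constructed; the severity bands follow the CVSS v3 qualitative scale.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative band (thresholds from the v3 spec)."""
    for limit, band in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= limit:
            return band
    return "Critical"

@dataclass
class Finding:
    asset: str
    cvss: float
    first_seen: date                # first scan that reported it
    fixed: Optional[date] = None    # first scan that no longer reported it

# Constructed scan history and hypothetical per-severity remediation SLAs (days).
FINDINGS = [
    Finding("web-01", 9.8, date(2024, 1, 10), date(2024, 2, 1)),
    Finding("web-02", 9.1, date(2024, 1, 15)),
    Finding("db-01", 7.5, date(2024, 2, 1)),
    Finding("hr-01", 5.3, date(2023, 11, 1)),
    Finding("vpn-01", 9.4, date(2024, 3, 20)),
]
SLA_DAYS = {"Critical": 15, "High": 30, "Medium": 90, "Low": 180, "None": 365}
SNAP_EARLY, SNAP_LATE = date(2024, 3, 1), date(2024, 5, 1)

def open_on(findings, as_of):  # findings still unremediated on the snapshot date
    return [f for f in findings if f.first_seen <= as_of and (f.fixed is None or f.fixed > as_of)]

def nominal_rating(findings, as_of):
    """The one-word label a dashboard shows: the worst open score, which says nothing about trend."""
    return cvss_severity(max((f.cvss for f in open_on(findings, as_of)), default=0.0))

def aged_open_by_severity(findings, as_of, sla_days):
    """Count open findings that have exceeded their severity's SLA, per severity band."""
    counts = {}
    for f in open_on(findings, as_of):
        sev = cvss_severity(f.cvss)
        if (as_of - f.first_seen).days > sla_days[sev]:
            counts[sev] = counts.get(sev, 0) + 1
    return counts

def critical_trend(findings, earlier, later, sla_days):
    """Return (aged criticals at earlier, at later, whether that count actually fell)."""
    a = aged_open_by_severity(findings, earlier, sla_days).get("Critical", 0)
    b = aged_open_by_severity(findings, later, sla_days).get("Critical", 0)
    return a, b, b < a
```

On this data the rating reads "Critical" at both snapshots while the count of aged criticals goes from one to two, which is exactly the gap between a label and a measurement.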
Understanding your organization's culture and having a conversation with other employees about it will help you identify opportunities or areas that might need improvement. Reach out to an asset owner if you notice that the vulnerabilities for a subset of their assets are not being patched over time. Perhaps you are not actually being notified of group policy changes and devices are not meeting new configuration standards. Strategic mistakes can cascade down to tactical failures.
An organization's information security program can also seem increasingly complex when your company's headquarters is in a different location from your own. Vulnerability scans might be performed at different times in different places, which can create confusion and produce inaccurate results. Build relationships with other teams to understand the information, processes and systems they use to do their jobs. You'd be surprised how much information you can gather from a couple of conversations.
Employees should be praised for their honesty, not reprimanded. Positive reinforcement should also be leveraged. This is especially useful during phishing simulation tests. For example, reward employees with a $5 Starbucks gift card for reporting suspicious emails.
A lack of communication will hinder your organization's ability to identify, measure, monitor and report risk. You might recall Equifax's chief executive blaming a single employee for its data breach in 2017. "Blame culture" inhibits communication between organizational units, as employees become reluctant to admit mistakes. Communication between OUs should be actively encouraged. Building positive relationships throughout an organization enables teams to work collaboratively to identify solutions.
If you enjoyed this blog, please buy me a coffee. https://www.buymeacoffee.com/cassiecage